The NAIH Imposed a Fine of HUF 60,000,000 for Camera Data Processing!
The National Authority for Data Protection and Freedom of Information (NAIH) imposed a fine of HUF 60,000,000 (approx. EUR152,000) on a bank branch this year due to the inadequate availability of the data processing notice in relation to the operation of an electronic surveillance system.
The Facts
The authority’s investigation was initiated following a report; a customer attempted to conduct a transaction at an ATM outside of the bank branch’s opening hours, but the ATM malfunctioned. The customer wanted to access the data processing notice related to the electronic surveillance system operating at the ATM, which, according to the pictogram on the machine, was available in the customer area. However, the customer could not access it there (since the bank branch was closed), and no such notice was available online.
The customer requested the data controller to provide the ATM camera recordings and a copy of the conversation with customer service, but this was only provided three days after the deadline specified in the GDPR had passed.
During the authority’s proceedings, the data controller bank did not deny that the notice was only available in the customer area of the bank branch, but during the process, it reviewed its practice, made the notice available on its website, and ensured the establishment of a multi-level data processing notice (i.e., in addition to the pictogram at the ATM, a short notice was also placed alongside the more detailed notice in the customer area).
The Authority’s Decision
During the authority’s proceedings, the authority found that the data controller bank had failed to meet the information obligations stipulated by the GDPR, as the data processing notice was not accessible to affected individuals outside of the bank branch’s opening hours, despite personal data being processed during such periods.
The authority also determined that the data controller did not fulfill the customer’s request within the deadline.
It is important to emphasize that during the proceedings the authority did not only examine the specific case but also reviewed the data processing practices of all other bank branches of the data controller, which was taken into account when imposing the significant fine.
Lessons for Data Controllers
It is worth drawing lessons from the above-discussed case; most notably, that in cases of data processing involving an electronic surveillance system, it is crucial to act with great care and thoroughly consider where, how, and how detailed the information provided to the data subjects should be.
If you have specific questions or need legal assistance, the staff of BHKN Law Firm is at your disposal.
Book an appointment via email at office@bhknpartners.hu, or contact us through the provided contact details!
Kapcsolódó bejegyzések
Cybersecurity Compliance in 2025: What You Need to Know About the NIS2 Regulation?
Hungary’s new cybersecurity law introduces significant changes for businesses. This new legislation, which transposes the European Union’s NIS2 Directive into Hungarian law in greater detail than the previous—still relatively recent—Hungarian regulations, will come into effect on January 1, 2025. It imposes several new obligations on affected organizations. The law aims to strengthen national cybersecurity systems, enhance information security levels, and facilitate effective handling of cyber threats.
